DETAILED ACTION

1. Claims 1-13 have been examined. 

Claim Rejections - 35 USC § 101 

2. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

3. Claims 1-13 are rejected under 35 U.S.C. 101 because the claimed invention is
directed to non-statutory subject matter.

4. Claims 1, 5, and 8-13 are directed to a computer-implemented method for determining
network security threat level. The examiner respectfully asserts that the claimed subject
matter does not fall within the statutory classes listed in 35 USC 101. The claimed steps
do not result in a useful/practical outcome at the end. Claims 1, 5, and 8-13 are rejected as
being directed to an abstract idea that fails to produce a real-world result [Benson, 409
U.S. at 71-72, 175 USPQ at 676-77]. Claims 2-4 and 6-7 depend on claims 1 and 5 and
are therefore rejected on the same rationale.

Claim Rejections -35 USC §102 

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

6. Claims 5-12 are rejected under 35 U.S.C. 102(e) as being anticipated by Farley
et al. (hereinafter referred to as Farley), US Patent 7,089,428 B2.

7. As per claim 5: Farley discloses a method for determining network security threat
level, comprising the steps of: receiving event data in response to an identified network
event detected by a sensor (See Fig 5A step 28, Fig 5B step 505 and col 9 line 61
through col 10 line 28); and based upon the event data (Fig 5B step 505), determining a
host threat level based upon a threat weighting assigned to the host associated with a
threat weighting assigned to a host network block of which the host is a member (See
col 12 line 30 through col 13 line 20).

8. As per claim 6: Farley discloses a method wherein the host is a source device 
(See Fig 5D step 503 and Fig 5F step 513). 

9. As per claim 7: Farley discloses a method wherein the host is a destination 
device (See Fig 5F step 513). 

10. As per claim 8: Farley discloses a method for determining network security
threat level, comprising the steps of: receiving event data in response to an identified
network event detected by a sensor (See Fig 5A step 28, Fig 5B step 505 and col 9 line
61 through col 10 line 28); determining an event type based upon the event data (See
Fig 5B and col 12 line 30 through col 13 line 20); and determining a source threat
based upon a source threat weighting assigned to the source for the event type
associated with a network block threat weighting for the event type assigned to a host
network block of which the host is a member (See Fig 5F step 513 and col 12 line
30 through col 13 line 20).

11. As per claim 9: Farley discloses a method for determining network security threat
level, comprising the steps of: receiving event data in response to an identified network
event detected by a sensor (See Fig 5A step 28, Fig 5B step 505 and col 9 line 61
through col 10 line 28); determining an event type based upon the event data (See Fig
5A step 28, Fig 5B step 505 and col 9 line 61 through col 10 line 28); and determining a
destination threat value based upon a destination threat weighting assigned to the
destination for the event type associated with a network block threat weighting for the
event type assigned to a host network block of which the host is a member (See Fig 5F
step 513 and col 19 lines 10-46); determining a destination vulnerability by associating
the destination threat value with a destination vulnerability value based upon a
vulnerability of a destination host for the event type (See col 15 lines 24-38, col 17 lines
33-46 and col 19 lines 10-46).

12. As per claim 10: Farley discloses a method for determining network security
threat level, comprising the steps of: receiving event data in response to an identified
network event detected by a sensor (See Fig 5A step 28, Fig 5B step 505 and col 9 line
61 through col 10 line 28); determining an event type based upon the event data (See
Fig 5A step 28, Fig 5B step 505 and col 9 line 61 through col 10 line 28); and
determining a source threat based upon a source threat weighting assigned to a source
for the event type associated with a network block threat weighting for the event type
assigned to a host network block of which the host is a member (See Fig 5F step 513
and col 12 line 30 through col 13 line 20); determining a destination threat value
based upon a destination threat weighting assigned to the destination for the event type
associated with a network block threat weighting for the event type assigned to a host
network block of which the host is a member (See Fig 5F step 513 and col 19 lines 10-
46); determining a destination vulnerability by associating the destination threat value
with a destination vulnerability value based upon a vulnerability of a destination host for
the event type (See col 15 lines 24-38, col 17 lines 33-46 and col 19 lines 10-
46); determining an event validity based upon the source and the event type (See col 15
lines 24-38, col 17 lines 33-46 and col 19 lines 10-46); and determining an event severity
based upon the event type (See Fig 5B step 555 and col 10 lines 29-34); and calculating
the network security threat based upon the source threat, the destination vulnerability,
the event validity, and the event severity (See col 23 line 61 through col 24 line 46 and
Fig 7).

13. As per claim 11: Farley discloses a method for determining network security
threat level, comprising the steps of: receiving event data in response to an identified
network event detected by a sensor (See Fig 5A step 28, Fig 5B step 505 and col 9 line
61 through col 10 line 28); determining an event type based upon the event data (See
Fig 5B step 555 and col 10 lines 29-34); and determining a source threat based upon a
source threat weighting assigned to a source for the event type associated with a
network block threat weighting for the event type assigned to a host network block of
which the host is a member (See Fig 5F step 513 and col 12 line 30 through col 13
line 20); determining a destination threat value based upon a destination threat
weighting assigned to the destination for the event type associated with a network block
threat weighting for the event type assigned to a host network block of which the host is
a member (See col 15 lines 24-38, col 17 lines 33-46 and col 19 lines 10-46);
determining a destination vulnerability by associating the destination threat value with a
destination vulnerability value based upon a vulnerability of a destination host for the
event type (See col 15 lines 24-38, col 17 lines 33-46 and col 19 lines 10-46);
determining an event validity based upon the source and the event type (See col 15
lines 24-38, col 17 lines 33-46 and col 19 lines 10-46); and determining an event severity
based upon the event type (See col 15 lines 24-38, col 17 lines 33-46 and col 19 lines 10-
46); calculating an event threat based upon the source threat, the destination
vulnerability, the event validity, and the event severity (See col 15 lines 24-38, col 17
lines 33-46 and col 19 lines 10-46); calculating a compound host threat by associating a
plurality of event threats over a time period with a number of correlated events in the
time period (See col 15 lines 24-38, col 24 lines 1-39).

14. As per claim 12: Farley discloses a method for determining network security
threat level, comprising the steps of: receiving event data in response to an identified
network event detected by a sensor (See Fig 5A step 28, Fig 5B step 505 and col 9 line
61 through col 10 line 28); determining an event type based upon the event data (See
Fig 5B step 555 and col 10 lines 29-34); and determining a source threat based upon a
source threat weighting assigned to a source for the event type associated with a
network block threat weighting for the event type assigned to a host network block of
which the host is a member (See Fig 5F step 513 and col 12 line 30 through col 13
line 20); determining a destination threat value based upon a destination threat
weighting assigned to the destination for the event type associated with a network block
threat weighting for the event type assigned to a host network block of which the host is
a member (See col 15 lines 24-38, col 17 lines 33-46 and col 19 lines 10-46);
determining a destination vulnerability by associating the destination threat value with a
destination vulnerability value based upon a vulnerability of a destination host for the
event type (See col 15 lines 24-38, col 17 lines 33-46 and col 19 lines 10-46);
determining an event validity based upon the source and the event type (See Fig 5B step
555 and col 10 lines 29-34); and determining an event severity based upon the event
type; determining an event threat based upon the source threat, the destination
vulnerability, the event validity, and the event severity (See col 15 lines 24-38, col 17
lines 33-46 and col 19 lines 10-46); determining a first compound host threat value by
associating a first plurality of event threats over a first time period with a first frequency
number of correlated events in the first time period (See col 15 lines 24-38, col 17 lines
33-46 and col 19 lines 10-46); determining a second compound host threat value by
associating a second plurality of event threats over a second time period greater than
the first time period with a second frequency number of correlated events in the second
time period; and determining a differential threat level by associating the first compound
host threat value with the second host threat value (See col 15 lines 24-38, col 24 lines 1-
39).

Claim Rejections - 35 USC § 103 
15. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

16. Claims 1 and 13 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Farley et al. (hereinafter referred to as Farley), US Patent 7,089,428 B2, in view of Mcclure
et al. (hereinafter referred to as Mcclure), US Patent No. 7152105 B2.

17. As per claim 1: Farley discloses a computer-implemented method for
determining network security threat level, comprising the steps of: receiving event data
in response to an identified network event detected by a sensor (See Fig 5A step 28, Fig
5B step 505 and col 9 line 61 through col 10 line 28); based upon the event data,
performing the following steps: determining a source threat value, the source threat value
based upon a source threat weight for a source IP address and a first range of IP
network addresses of which the source IP address is a member (See Fig 5F step 513
and col 12 line 30 through col 13 line 20); determining a destination vulnerability
value, the destination vulnerability value based upon the network event in conjunction
with a destination IP address, a destination threat weight for the destination IP address,
and a threat level value associated with a second range of network IP addresses of which
the destination IP address is a member (See col 15 lines 24-38, col 17 lines 33-46 and
col 19 lines 10-46); determining an event validity value based upon the source IP
address and an event type; determining an event severity value based upon the event
type (See col 23 line 61 through col 24 line 46 and Fig 7); calculating an event threat
level value based upon the source threat value, the destination vulnerability value, the
event validity value, and the event severity value (See col 23 line 61 through col 24 line
46 and Fig 7).

Farley does not explicitly disclose calculating a host threat level value based 
upon a summation of event threat level values for a host over a first time period 
associated with a number of correlated events for the host in the first time period; and 
calculating a differential threat level by associating the host threat level value with a 
second host threat level value based upon a second time period wherein the second 
time period exceeds the first time period. 

However, Mcclure teaches calculating a host threat level value based upon a
summation of event threat level values for a host over a first time period associated with
a number of correlated events for the host in the first time period (See col 9 line 17
through col 10 line 28); and calculating a differential threat level by associating the host
threat level value with a second host threat level value based upon a second time
period wherein the second time period exceeds the first time period (See col 9 line 17
through col 10 line 28).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the method of Farley with the teaching of Mcclure
in order to provide a computer security management system that can log, investigate,
respond to, and track computer security incidents that can occur in a networked computer
system (See Mcclure col 3 lines 25-29).
18. As per claim 13: Farley discloses a method for determining network security
threat level, comprising the steps of: receiving event data in response to an identified
network event detected by a sensor (See Fig 5A step 28, Fig 5B step 505 and col 9 line
61 through col 10 line 28); determining an event type based upon the event data (See
Fig 5B step 555 and col 10 lines 29-34); and, based upon the event data, performing the
following steps:

Farley does not explicitly disclose determining a first host frequency threat level
value by summing event threat level values for a host over a first time period and dividing by
the number of correlated events for the host in the first time period; determining a
second host frequency threat level value by summing event threat level values for the
host over a second time period greater than the first time period and associated with the
number of correlated events for the host in the second time period; and determining a
differential threat level numerator by multiplying the first host frequency threat level
value by the second time period; determining a differential threat level denominator by
multiplying the second host frequency value by the first time period; and calculating a
differential threat level by dividing the differential threat level numerator by the differential
threat level denominator.

However, Mcclure discloses determining a first host frequency threat level value by
summing event threat level values for a host over a first time period and dividing by the
number of correlated events for the host in the first time period (See col 9 line 17
through col 10 line 28); determining a second host frequency threat level value by
summing event threat level values for the host over a second time period greater than
the first time period and associated with the number of correlated events for the host in
the second time period (See col 9 line 17 through col 10 line 28); and determining a
differential threat level numerator by multiplying the first host frequency threat level
value by the second time period; determining a differential threat level denominator by
multiplying the second host frequency value by the first time period; and calculating a
differential threat level by dividing the differential threat level numerator by the differential
threat level denominator (See col 9 line 17 through col 10 line 28).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the method of Farley with the teaching of Mcclure
in order to provide a computer security management system that can log, investigate,
respond to, and track computer security incidents that can occur in a networked computer
system (See Mcclure col 3 lines 25-29).

19. Claims 2-4 are rejected under 35 U.S.C. 103(a) as being unpatentable over Farley
et al. (hereinafter referred to as Farley), US Patent 7,089,428 B2, in view of Mcclure et
al. (hereinafter referred to as Mcclure), US Patent No. 7152105 B2, and further in view of
Black et al. (US Patent No. 6,928,556 B2).

20. As per claim 2: the combination of Farley and Mcclure discloses claim 1 as recited
above. The combination of Farley and Mcclure does not explicitly disclose further
comparing the event threat level value to an event alert value; and generating an alarm
when the event threat level value exceeds the event alert value (Fig 7 step
708). However, Black discloses comparing the event threat level value to an event alert
value (See Fig 7 steps 704, 706); and generating an alarm when the event threat level
value exceeds the event alert value (Fig 7 step 708).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the combined method of Mcclure and Farley with the
teaching of Black in order to provide a computer security management
system that can log, investigate, respond to, and track computer security incidents that
can occur in a networked computer system (See Mcclure col 3 lines 25-29).

21. As per claim 3: the combination of Farley and Mcclure discloses claim 1 as recited
above. The combination of Farley and Mcclure does not explicitly disclose further
comparing the compound host threat level value to an event alert value; and generating
an alarm when the host threat level value exceeds the event alert value. However, Black
discloses comparing the event threat level value to an event alert value (See Fig 7 steps
704, 706); and generating an alarm when the event threat level value exceeds the event
alert value (Fig 7 step 708).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the combined method of Mcclure and Farley with the
teaching of Black in order to provide a computer security management
system that can log, investigate, respond to, and track computer security incidents that
can occur in a networked computer system (See Mcclure col 3 lines 25-29).

22. As per claim 4: the combination of Farley and Mcclure discloses claim 1 as recited
above. The combination of Farley and Mcclure does not explicitly disclose further
comparing the differential threat level value to a differential alert value; and generating
an alarm when the differential threat level exceeds the differential alert value. However,
Black discloses comparing the differential threat level value to a differential alert
value (See Fig 7 steps 704, 706); and generating an alarm when the differential threat
level exceeds the differential alert value (Fig 7 step 708).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the combined method of Mcclure and Farley with the
teaching of Black in order to provide a computer security management
system that can log, investigate, respond to, and track computer security incidents that
can occur in a networked computer system (See Mcclure col 3 lines 25-29).
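The claim 13 computation in paragraph 18 (first and second host frequency threat level values, the numerator/denominator construction and the final ratio) and the threshold comparison of claims 2-4 (paragraphs 20-22) are concrete enough to be carried through in code. The block below is an added illustration written for this page; it is not code from the application, from Farley, Mcclure or Black, or from the Office action. It takes already-computed event threat level values as input (it does not implement the source-threat, destination-vulnerability, validity and severity steps of claim 1), uses a constructed event list, and assumes that the second host frequency value is a sum divided by its event count, which claim 13 only describes as "associated with" the count. It also handles the two failure modes a practitioner hits in practice: an empty window (no correlated events) and a zero denominator.

```python
# Added example: claim 13's host frequency and differential threat levels, plus
# the claims 2-4 alert comparison. Not the applicant's or the examiner's code.

# Constructed sample input: (timestamp_seconds, host, event_threat_level_value).
# Event threat level values are taken as inputs already computed per claim 1.
SAMPLE_EVENTS = [
    (10, "10.0.0.5", 1.0),
    (40, "10.0.0.5", 3.0),
    (90, "10.0.0.5", 8.0),
    (95, "10.0.0.5", 8.0),
    (400, "10.0.0.5", 2.0),   # after `now` in the tests below; must be excluded
    (50, "10.0.0.9", 1.0),
]


def host_frequency_threat(events, host, now, period):
    """Sum the event threat level values for `host` in the window (now-period, now]
    and divide by the number of correlated events in that window (claim 13's
    first host frequency threat level value). Returns (value, count); the value
    is 0.0 when the window is empty so callers can distinguish "no events" from
    a genuinely low threat via the count."""
    values = [v for (t, h, v) in events if h == host and now - period < t <= now]
    if not values:
        return 0.0, 0
    return sum(values) / len(values), len(values)


def differential_threat_level(events, host, now, t1, t2):
    """Claim 13 ratio: (first_freq * t2) / (second_freq * t1), with t2 > t1.
    Assumption (labelled in the lead-in): the second frequency is also a
    sum-over-count, computed with the same helper over the longer window.
    Returns None instead of raising when the denominator is zero, i.e. when the
    host has no correlated events in the longer window."""
    if not t2 > t1:
        raise ValueError("second time period must exceed the first")
    first_freq, _ = host_frequency_threat(events, host, now, t1)
    second_freq, _ = host_frequency_threat(events, host, now, t2)
    numerator = first_freq * t2        # claim 13 differential threat level numerator
    denominator = second_freq * t1     # claim 13 differential threat level denominator
    if denominator == 0:
        return None
    return numerator / denominator


def exceeds_alert(value, alert_value):
    """Claims 2-4: an alarm is generated when a threat level value exceeds its
    alert value. A None value (undefined ratio) never alarms."""
    return value is not None and value > alert_value


if __name__ == "__main__":
    host = "10.0.0.5"
    now, t1, t2 = 100, 20, 100
    print("first window:", host_frequency_threat(SAMPLE_EVENTS, host, now, t1))
    print("second window:", host_frequency_threat(SAMPLE_EVENTS, host, now, t2))
    diff = differential_threat_level(SAMPLE_EVENTS, host, now, t1, t2)
    print("differential threat level:", diff, "alarm:", exceeds_alert(diff, 6.0))
```

With the constructed events, the short window (80, 100] holds two events averaging 8.0 and the long window (0, 100] holds four averaging 5.0, so the ratio is (8.0 * 100) / (5.0 * 20) = 8.0. Note that because the numerator carries t2 and the denominator t1, two windows with equal average threat still yield t2/t1 rather than 1; anyone tuning a differential alert value against this formula has to pick the threshold with that scaling in mind.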

Conclusion 

23. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. See PTO 892. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Fikremariam Yalew whose telephone number is 
5712723852. The examiner can normally be reached on 9-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Moazzami Nasser, can be reached on 5712738300. The fax phone number
for the organization where this application or proceeding is assigned is 571-272-4195.

Application/Control Number: 10/649,804
Art Unit: 2136
Page 14

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Fikremariam Yalew, Art Unit 2136